Email Encryption: Doing It The Right Way (And The Wrong Way)

More and more data is moving to the cloud. It shouldn't come as a surprise, then, that online hacking is currently the top reason for data breaches (depending on which metric you're using), followed quite closely by yesteryear's number one contender – the loss of laptops and other data storage devices that weren't safeguarded with full disk encryption or similar protection.

There are many approaches to securing data, but protecting email may be one of the trickiest due to the nature of the medium.

Securing Email – A Sisyphean Endeavor?

Email powers modern business and will do so for many years to come; reports of its death, like Mark Twain's at one point, have been greatly exaggerated. The continued use of this communication medium makes the use of information security tools imperative.

The reason why email is hard – some say impossible – to completely secure it is that, first of all, you can't go about it alone. Correspondence requires a second party, and if that second party is not interested in securing his electronic communiques, there's not really much you can do.

(Incidentally, this is not true for certain work or business environments. For example, if you happen to be a contractor or subcontractor to a HIPAA covered entity – i.e., you're a HIPAA business associate – you could be asked to secure your email and other data that contains protected health information.)

Even when focusing on things that are supposedly within your control, it's impossible to completely secure email because of the way people work with it. Take me, for example. I am able to access my email using a number of methods: (1) via the web, using a browser that connects to my company's email server or by downloading it to (2) my laptop, which runs Outlook; (3) my iPad, via the configuration of the Mail app; and (4) my Android smartphone and its Mail app. Obviously, BYOD has made inroads in our company.

The most secure way of accessing email (dubious as the claim may be) would be to work with #1 regardless of the device. Why is this the most secure? Because the email message always remains on the server (which we assume is properly protected by professionals who know what they're doing). The other three methods require that email be downloaded to each respective device – which is just another way of saying that the email is being copied – and thus means there is more than one thing to secure, one server vs. "n" objects (in my case, three. Imagine what this would mean if all employees had the same number of devices. With 25 employees, you'd have to secure email on 76 devices, the central server and 25 x 3 devices each. That can't be easy for the guy who's managing IT security.)

Thankfully, there are a number of ways to prevent email on devices from becoming a data breach trigger.

The easiest and most pragmatic approach to securing data on portable devices is to use smart phone encryption and laptop encryption. Both methods use full disk encryption to secure the entirety of a device, meaning that emails as well as other data are protected from unwanted access.

In addition, for smartphones and tablets, a mobile device management (MDM) solution allows finer, granular control over other security aspects of the device, such as the setting up VPNs, password policies, Wi-Fi provisioning, remote data wipe and deletion, and other security policies.

The same goes for laptops. Full disk encryption (FDE) prevents access to the computer, ensuring that email and other sensitive documents remain unread by unauthorized eyes. With a solution like AlertBoot FDE, remote data wiping is also possible (although such technology cannot be relied on because it requires a missing laptop to be online for data erasure to work. It's always better to use encryption with a strong password and use remote deletion as a backup that builds on FDE). Other security features, like password policies, are also available.

Use Email Encryption on Servers

For the actual servers holding and powering a company's email system, there are basically two approaches to securing the data: server encryption and email encryption. When it comes to email, the latter is a better approach.

Server encryption is essentially the use of FDE on a server, although more than likely, it's a technology known as volume encryption. This widely used approach is not an effective way to secure emails on a server. While it does provide some protection, the game changes if a hacker gains access into the OS, especially at the root control level. At this point, it's as if the hacker was accessing the server just like a system administrator is accessing the server. Indeed, from a computer's point of view, there is no difference.

AlertBoot Email Encryption works using a different approach. Instead of encrypting a server, each mailbox is encrypted with its own independent key. If a hacker (or even a rogue or nosy sys admin) were to try to access the email server, he would find a formidable obstacle when attempting to read the email. The attempt to crack encryption would yield the fruits of one mailbox only, further limiting a data breach in the event a hacker gets lucky.

Combing both FDE for independent endpoints and email encryption for the email servers, modern businesses can ensure that the risk of a email data breach is minimized as much as possible.

Comments

No Comments

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading
provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing
support of the AlertBoot disk encryption managed service.
Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts
University in Medford, Massachusetts, U.S.A.